Re: [exim] Default enabling of dnsdb

Top Pagina
Delete this message
Reply to this message
Auteur: Mike Cardwell
Datum:  
Aan: exim-users
Onderwerp: Re: [exim] Default enabling of dnsdb
W B Hacker wrote:

>> At the moment, the only live example in my real configs is this:
>> ----------------------------8< cut here >8------------------------------
>> # We don't filter on SPF in the normal case as it breaks forwarding.  However,
>> # if the sender domain claims that it never sends mail, then there's nothing
>> # legitimate to have been forwarded, so we can drop that at least.  Some people
>> # are polite and note when they don't send email (eg, globnix.com).
>> # Thanks to Mike Cardwell for the nudge to actually implement the check and for
>> # the lookup which avoids an experimental-Exim dependency.
>>   deny    condition     = ${if eq{${lookup dnsdb{defer_never,txt=$sender_address_domain}}}{v=spf1 -all}}
>>           message       = SPF records for $sender_address_domain explicitly state this domain should never send email
>> ----------------------------8< cut here >8------------------------------

>>
>> (globnix.com being mine). I value having a test which is small and
>> simple, avoids linking in a bunch of additional bloat which I'll likely
>> never use and find the flexibility of dnsdb here to be of great use in
>> implementing the only subset of the SPF functionality which I actually
>> use. The flexibility of dnsdb greatly exceeds its cost.
>>
>> I just checked my logs for what this rule is catching and was pleasantly
>> surprised. Thanks, Mike. :)
>>
>> -Phil
>>
>
> Phil,
>
> No doubt the code does what you say it does.
>
> But not clear to me why (or at what 'phase') that sort of check would be
> needed at all.
>
> What have I missed?


Quite a lot of domains have an SPF record of "v=spf1 -all". I never
found out *why* this is the case, but it is.

That particular SPF record is a clear policy of "This domain DOES NOT
send mail," so you don't have to worry about email forwarding or any of
the other issues with SPF.

You can use that quoted rule at any point after and including
"acl_smtp_mail" to reject email with domains in the sender envelope,
containing that SPF record.

In *fact*, you could implement an entire fully featured framework for
doing SPF lookups using dnsdb and standard Exim expansions and acl
configuration without even needing to go anywhere near libspf. I might
leave that one for a rainy day.

--
Mike Cardwell
(https://secure.grepular.com/) (http://perlcv.com/)